CompTIA CySA+ (CS0-002) — Question 187
A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability. Company policy prohibits using portable media or mobile storage. The security analyst is trying to determine which user caused the malware to get onto the system. Which of the following registry keys would most likely have this information?
Answer options
- A. HKEY_USERS\\Software\Microsoft\Windows\CurrentVersion\Run
- B. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- C. HKEY_USERS\\Software\Microsoft\Windows\explorer\MountPoints2
- D. HKEY_USERS\\Software\Microsoft\Internet Explorer\Typed URLs
- E. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\iusb3hub
Correct answer: B
Explanation
The correct answer is B: this registry key stores the programs that run at startup for all users on the machine, so it is the one most likely to hold information on the user actions that led to the malware infection. Options A and C are user-specific and less relevant, since they pertain to individual user settings. Options D and E do not pertain to startup programs and therefore would not provide the needed information about how the malware was introduced.